Abstract. Code voting was introduced by Chaum as a solution for using
a possibly infected-by-malware device to cast a vote in an electronic
voting application. Chaum’s work on code voting assumed voting codes
are physically delivered to voters using the mail system, implicitly
requiring trust in the mail system. This is not necessarily a valid
assumption to make - especially if the mail system cannot be trusted.
When the mail system conspires with the recipient of the cast ballots,
privacy is broken.

It is clear to the public that when it comes to privacy, computers and
“secure” communication over the Internet cannot fully be trusted. This
emphasizes the importance of: (1) using unconditional security for secure
network communication; (2) reducing reliance on untrusted computers.

In this paper we explore how to remove the mail system trust assumption 
in code voting. We use PSMT protocols (SCN 2012) where with the help
of visual aids, humans can carry out mod 10 addition correctly with 
a 99% degree of accuracy. We introduce an unconditionally secure MIX 
based on the combinatorics of set systems. 

Given that end users of our proposed voting scheme construction are
humans, we cannot use classical Secure Multi Party Computation protocols.

Our solutions are for both single and multi-seat elections achieving: 

i) An anonymous and perfectly secure communication network secure 
against a t-bounded passive adversary used to deliver voting, 

ii) The end step of the protocol can be handled by a human to evade 
the threat of malware. 

We do not focus on active adversaries. 

Keywords: Voting Systems, Internet Voting, Information Theoretic Anonymity, 
Private and Secure Message Transmission, Computer System Diversity. 


1 Introduction 

Electronic voting over the Internet enables voters to cast votes from an
Internet-connected device at any physical location with Internet access.
Compared to booth based electronic voting systems developed by the
cryptographic community, Internet voting does not require voters to be
physically present at a polling station.

Even though secure Internet voting is in its infancy, many countries
and organizations are considering adoption or have already done so, such
as Estonia [33] and Switzerland [2]. In Estonia, participation increased by
17% [34]. Similarly, after IACR used the Helios Internet voting system [29],
which allowed its members who are based in different geographical
locations to cast their secure vote online, voting increased from 20% to
around 30%-40%.

Experts agree that achieving secure Internet voting will be even more
difficult than booth-based electronic voting [26]. For example, the 2003
CRA Grand Research Challenges Workshop on Information Security [T]
ranked secure Internet voting as one of the most challenging open
problems in information security. These issues were put in the spotlight at
the 2013 RSA Conference panel [ID] and by Rivest in [37]. The difficulties
lie in the fact that computational devices are vulnerable to security
attacks and are easy to hack. Although SSL uses cryptography, modern
browsers are vulnerable to attacks such as click-jacking, cross-site
scripting, and man-in-the-browser attacks - as demonstrated against
Helios 2.0 in m.

Given that the computer of a voter can easily be hacked, in 2001 
Chaum proposed a breakthrough solution called “code voting” [7] where 
one can use a possibly hacked computer to perform a secure operation. 
In code voting, a voter receives through the postal mail a long enough 
unique code for every candidate. To vote, voters would just enter the code 
corresponding to the candidate of their choice. 

Chaum’s approach to code voting assumes the postal mail to be secure
from a reliability and privacy viewpoint. This is not a valid assumption
to make. Indeed, a collaboration of the postal service with the returning
officer may allow for the anonymity of all votes to be broken by
divulging the identity of voters to whom specific voting codes were
delivered. Another problem is that if one knows who is likely not to vote,
Chaum’s scheme is not very secure against ballot stuffing. Furthermore, if
malicious postmen do not deliver voting codes, this prevents voters from
casting their votes. If the election is tight and the number of undelivered
ballots is high, this could undermine the reliability and trustworthiness
of code voting through the postal service. So, one question we address is
how we can make Chaum’s code voting secure against t passive insiders.

Footnote: A returning officer oversees elections in one or more
constituencies [44].

Footnote: Since we focus on a passive adversary, our paper does not
address this attack.

Obviously we need to maintain the anonymity of voters. One way
to achieve anonymity is through the use of MIX-networks. These were
first introduced by Chaum in [8] and are used in electronic voting.
MIX-networks allow senders to input a number of (usually encrypted)
messages to a MIX-network which then outputs and delivers each message
to all recipients without the receiver being able to identify the sender.
Various ways with which MIX-networks are constructed are described in
Section 2.1. The main issue with such constructions is that they are based
on tools based on computational assumptions which, when used within the
context of an electronic voting scheme, only allow for conditional security
and thus conditional privacy and conditional anonymity to be achieved.

Note that no conditionally secure cryptosystem designed so far has
withstood cryptanalysis for more than 300 years. Quantum computers will
undermine computational voting schemes cryptographers have proposed,
in particular those based on ElGamal. For many goals, unconditionally
secure solutions have already been proposed, e.g., since 1988 m we have
unconditionally secure multiparty computation. This is a further
motivation for proposing an unconditionally secure voting scheme in which t
insiders can be corrupted. Due to the revelations by Snowden m, some
have questioned the security of the NIST standards [12]. So, one can
wonder whether we want to promote voting systems which might be broken,
if not now, then in the future. The importance of requiring unconditional
vote security is further highlighted with the following example:

In 2020 Alice turns 18 and votes using a popular ElGamal based
electronic voting scheme. 50 years later, Alice is a candidate for
president of the USA. Imagine that in 2070 USA politics is going
through a new McCarthy m witch hunt. Unfortunately for Alice,
ElGamal security has since been broken. The newspapers find that
Alice voted for what is then considered the “wrong” party!

In this paper we focus on unconditional security, proposing alternative
MIX constructions (using set systems and shares of messages), to
generate the correctness of the vote unconditionally. To counter
technological threats and the possible influence of elections by foreign
governments (where hardware is manufactured), our proposed Internet code
voting solution uses the concept of diversity, first described in [23]. So,
we employ a diversity of computing systems to achieve security in our
proposed solution. Using diversity of network paths we also ensure that
any t-bounded adversarial presence is unable to break the privacy of any
votes. We consider the t-bounded computationally unlimited adversary to
be capable of taking control of any node between the vote authority and
the voters, which includes nodes in the MIX-network, nodes in the
communication network or voters’ computational devices (through malware).
It should be noted that we do not consider the human voters to be
corruptible.

The main part of our work assumes a passive adversary which can only 
observe but cannot cause deviation of protocol execution in any way. We 
also assume that the adversary cannot look at the information on the
whole network but only inside t nodes. Our solution considering an active 
adversary will be presented in a future full version of this paper. 

Considering a t-bounded adversary we emphasise the following: 

Important Statement 1 As shown in [24], when the number of corrupted
nodes is at most t, the minimum number of disjoint paths to allow
for private communication between a sender and a receiver is t + 1.

Corollary 1 Because of the above, voters will have to use a number of 
computing devices to securely receive (or dually send) their voting codes. 

The impact of Corollary 1 is not as bad as it might initially seem.
Nowadays, many people in developed countries can have effortless access to
more than one device such as PCs, laptops, smartphones and tablets.
Such devices can include those they own or can access through friends
and relatives or through public access (such as a library). Furthermore,
each of these devices can be connected to a communication network in
a different manner (Internet or cellular) which could be serviced by
different providers. These devices may run different operating systems
(e.g. Windows, iOS, Android) thus a threat to one device may not
necessarily constitute a threat to another - even with the same user.

Similar to the work of ISEo] which considers security protocols as 
used by humans who can execute them without relying on a fully trusted 
computer we do the same in this paper in the context of Internet voting. 

Motivated by all the above, we propose an unconditional Internet code
voting protocol which is secure against the possible presence of an
adversary and malware in the network and on voters’ devices respectively.
We present solutions for single seat and multi-seat elections both of which
are designed to be user friendly - so that human voters can use it correctly
with high accuracy. In EVOTE2014 [36] the authors addressed a very
similar problem as our current work. However, their solution achieves
conditional security which could be broken in the future against a
computationally unlimited adversary. Furthermore, the authors consider the
adversary to be present in the MIX network only and do not take into
account the possible presence of malware upon the tablets which
voters will use to cast their votes. Passive malware could possibly
identify to an adversary how someone voted, whereas active malware could
alter the way someone votes - thus rigging the result of an election.

Footnote: It should be noted that the main goal of our work is Internet
code-voting secure against t insiders. The work of [6] is independent and
their MIX servers are different using a homomorphic, unconditionally hiding
commitment scheme to encrypt audit information and achieve unconditional
security. Furthermore, their solution assumes

When combined with m, one can view our proposed method for
delivering codes to voters as a distributed implementation of a
one-time-pad-secured communication channel for votes. Because of this, our
solution can also be used for other established code voting schemes as it
is a way of removing the use of a possibly untrusted mail system and
transmitting the voting codes securely, reliably and anonymously to voters.

The text is organized as follows. Background and relevant previous
work are presented in Section 2. In Section 3 a high level description of
the protocol is given and we identify the required cryptographic tools. In
Section 4 we provide a simplified version of the MIX private and
anonymous communication protocol. This is used in Section 5 in a more
efficient manner where we present private and anonymous communication
protocols for the transmission of voting codes to voters for single seat
and multi seat elections. In Section 6 the electronic code voting protocol
is presented and the security proof of the protocol is also given.

2 Background and Previous Work

2.1 Previous Work 

This section describes previous work related to various aspects to be 
presented in this paper. 

MIX-networks can be constructed using a shuffle (permutation). One
way of achieving this [32,39] is by using approaches which are based on
zero-knowledge arguments [25g5]. In HZ] the use of zero-knowledge was
avoided. MIX-networks based on zero-knowledge arguments can be used
in electronic voting protocols - as has been proposed in recent
publications p7l28]. Earlier work [38] similarly used shuffles in
electronic voting based on zero-knowledge proofs. Other work on
MIX-networks includes the work of Abe in [3].

Footnote (continued): the use of two mix-networks one of which is private
and thus cannot be corrupted by the adversary. Our solution does not make
this assumption and instead counters the threat of the adversary presence
for protocol correctness accordingly. However, due to the possible presence
of malware the only way we know how to achieve this is using
unconditionally secure techniques achieved through the use of cover designs.
Additionally we use results from previous work [20] which allows for humans
to privately and reliably receive and decode messages, something achieved
with unconditional security.

Such constructions are based on computational assumptions which 
only allow for conditional security. The work we present is based on the 
stronger model of unconditional security. 

Anonymity in practice is difficult to achieve. One proposed
implementation was that of m but it was shown to be insecure in [43].

A voting scheme similar to the one we propose which achieves
information theoretic security and requires the voter to carry out modular
addition is that presented in [35]. Contrary to the voting scheme
proposed in this paper, the work of [35] is not an Internet voting scheme as
it requires voters to cast their votes at a polling station.

The work of m describes an election scheme which requires
computational modular exponentiation operations to be carried out by voters.
These operations require software or hardware. Furthermore, public key
cryptography is used, meaning that the security properties achieved are
computational and not information theoretic - as achieved in our scheme.

2.2 Message Transmission Security Properties

Below we define message transmission security properties which will be
required throughout the text. For formal definitions, see m. In our setting
we have a single receiver S connected to m number of senders
$(r_1, \dots, r_m)$ over a possibly corrupt underlying network.

(Perfectly) Correct - When the receiver accepts a message, it was 
sent by a sender S. 

(Perfectly) Reliable - When a sender S transmits a message, this 
message will be received by the receiver with probability 1. 

(Perfectly) Private - Only the designated receiver(s) can read a
message transmitted by S, i.e., for any coalition of t parties, their
probability of correctly determining a message is the same whether the
coalition is given their transmission view or not.

(Perfect) Security - Means perfect correctness, perfect reliability 
and perfect privacy. 

(Perfectly) Anonymous - Considering the single receiver wants to
receive m different messages over the network so that each of m number
of senders transmitted one of these messages (and each message is
transmitted and received only once), perfect anonymity is achieved when
for any coalition of t parties, their probability of correctly determining
the sender of any message is the same whether the coalition observes
the transmission view or not. In the context of Internet voting, perfect
anonymity is achieved when the voting protocol used does not facilitate
any party involved in the voting process to correlate any cast vote to a
specific voter with greater probability than any other.

2.3 Existential Honesty 

Some of our ideas use concepts of existential honesty, defined in m as: 

“It is possible to divide the MIX servers into blocks, which
guarantee that one block is free of dishonest MIX servers, assuming
the number of dishonest MIX servers is bounded by t.”

To achieve this, m defined and used the following (see also
[20, Section 2.3] for an extensive description of set systems and how these
relate to covering designs):

Definition 1 ([12]). A set system is a pair $(X, B)$, where
$X = \{1, 2, \dots, m\}$ and $B$ is a collection of blocks $B_i \subset X$
with $i = 1, 2, \dots, b$.

Definition 2 $(X, B)$ is an $(m, b, t)$-verifiers set system if:

1. $|X| = m$,

2. $|B_i| = t + 1$ for $i = 1, 2, \dots, b$, and

3. for any subset $F \subset X$ with $|F| \le t$, there exists a $B_i \in B$
such that $F \cap B_i = \emptyset$.

We assume that private channels connect MIX servers of corresponding
blocks (i.e. when for block $B_k$, MIX server $\mathrm{MIX}_{k,i}$ needs to
communicate with MIX server $\mathrm{MIX}_{k+1,j}$, where
$1 \le i, j \le t + 1$ and $k < b$, then there is a private channel). We
also assume such channels between the receiver and $\mathrm{MIX}_{1,i}$ and
similarly, between $\mathrm{MIX}_{b,i}$ and the sender.
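
Definition 2 can be checked by brute force for small parameters. The following is an added example, not code from the paper: it tests condition 3 over every corrupt set F with |F| <= t and compares the disjoint-block layout used in Section 4 with a layout that reuses servers (every (t+1)-subset of 2t+1 servers, a construction chosen here for illustration). All function names are hypothetical.

```python
from itertools import combinations


def find_blocking_set(m, blocks, t):
    """Return a corrupt set F (|F| <= t) that touches every block, or None
    when (X, blocks) satisfies Definition 2 for X = {1, ..., m}."""
    universe = set(range(1, m + 1))
    for block in blocks:
        if len(block) != t + 1 or not set(block) <= universe:
            raise ValueError("every block must hold t+1 servers taken from X")
    for size in range(t + 1):
        for corrupt in combinations(sorted(universe), size):
            # F is a counterexample if no block is disjoint from it.
            if all(set(corrupt) & set(block) for block in blocks):
                return set(corrupt)
    return None


def honest_block(blocks, corrupt):
    """First block containing no corrupted server (existential honesty)."""
    for block in blocks:
        if not set(block) & set(corrupt):
            return set(block)
    return None


def disjoint_blocks(t):
    """t+1 pairwise disjoint blocks of t+1 servers: m = (t+1)^2, b = t+1."""
    size = t + 1
    blocks = [set(range(k * size + 1, (k + 1) * size + 1)) for k in range(size)]
    return size * size, blocks


def all_subsets_blocks(t):
    """Every (t+1)-subset of 2t+1 servers: fewer servers, more blocks."""
    m = 2 * t + 1
    return m, [set(c) for c in combinations(range(1, m + 1), t + 1)]


if __name__ == "__main__":
    for build in (disjoint_blocks, all_subsets_blocks):
        m, blocks = build(2)
        print(build.__name__, "m =", m, "b =", len(blocks),
              "blocking set:", find_blocking_set(m, blocks, 2))
    # Constructed counterexample: server 1 sits in every block.
    print(find_blocking_set(3, [{1, 2}, {1, 3}], 1))
```

For t = 2 the disjoint layout needs 9 servers and 3 mixing rounds, while the subset layout needs 5 servers and 10 rounds; both pass the check.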

2.4 Human Perfectly Secure Message Transmission Protocols 

Perfectly secure message transmission (PSMT) protocols where the sender
or receiver is a human were introduced in [20]. In such protocols it is
assumed that the human receiver does not have access to a trusted device
since these may be faulty and/or infected with malware. Because the
receiver is a human, such protocols aim to achieve perfectly secure message
transmission (PSMT) in a computationally efficient and computationally
simple manner. It is also important that the amount of information and
operations the human receiver should process be kept to a minimum.

Addition mod 10 was used by humans in these protocols [20] to
reconstruct the secret message of the communication protocol from received
shares through addition mod 10. The idea of using addition mod 10 for
human computable functions was also used in [5] but within a different
security context. By regarding, in m, $\mathbb{Z}_{10}(+)$ as a subgroup of
$S_{10}$, the operation became very reliable for humans to perform.
Experiments have shown that clear, correct and precise instructions,
coupled with visual aids, allowed for the correct usage of these protocols
by a very high percentage of human participants.

2.5 Secure Multiparty Computation in Black-box Groups 

Black box multiparty computation protocols against a passive adversary
for non-Abelian groups have been presented in m and in [16] through
the use of a t-reliable n-coloring admissible planar graph. These papers
studied in particular the existence of secure n-party protocols to
compute the n-product function
$f_G(x_1, \dots, x_n) := x_1 \cdot \ldots \cdot x_n$ where each
participant is given the private input $x_i$ from some non-Abelian group
$G$ where $n \ge 2t + 1$. It was assumed that the parties are only allowed
to perform black-box operations in the finite group $G$, i.e., the group
operation ($(x, y) \mapsto x \cdot y$), the group inversion
($x \mapsto x^{-1}$) and the uniformly random group sampling ($x \in_R G$).

3 Secure Code Voting with Distributed Security 

In this section we provide a high level description of the secure code voting 
protocol we will present in this paper. We assume the reader is familiar 
with Chaum’s code voting scheme [7]. 

3.1 High Level Description 

We call Code Generation Entity (CGE) the entity in the code voting
protocol which is responsible for creating the codes with which voters
will cast their votes. These codes are unique and are sent to the voters so
that each of these codes is used only once for the whole election. For single
seat elections each voter receives as many codes as there are candidates.
For multi-seat elections each voter receives a single permutation - which is
a permutation of the alphabetical ordering of the candidates. After these
codes pass through a MIX network, they will be sent to voters using
perfectly secure message transmission, i.e. using secret sharing. Voters
will receive each share using a different device, identify the shares which
correspond to the candidate of their choice and reconstruct this voting
code using human computation. To cast their vote, voters will send this code
back to the CGE via the MIX servers, which perform inverse operations.
For each of the received cast codes, the CGE will identify the candidate
the code corresponds to and will tally up the cast votes for each candidate.

Our protocol does not use the mail system for the delivery of voting
codes to voters, but instead these are sent by the CGE to voters over
a MIX network and using PSMT. Similarly, cast votes will be sent by
voters to the CGE over a network as explained in Section 6.3.

3.2 Required Cryptographic Tools 

The process should ensure that the CGE (and indeed any t other parties)
is not able to identify that a specific voter (from the set of v voters)
cast a particular vote. Furthermore, a number of the underlying network
nodes may be corrupt. Even though secret sharing is used, any protocol
should ensure that voting codes are not learned by any t parties apart
from voters themselves, otherwise anonymity of votes could be broken.

Human perfectly secure message transmission protocols as presented
in [20] are employed. We rely on the feasibility tests performed which
confirm that humans can perform these basic operations. We use the
secret sharing scheme friendly to humans as presented in [20, Section 2.2]
which guarantees perfect privacy unconditionally. Except for the voters
computing the codes from the shares they receive, all other computations
are carried out by computers, of which no more than t are curious.
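
The mod 10 reconstruction described in Sections 2.4 and 3.2 can be illustrated as follows. This is an added example, not code from the paper or from [20]: it assumes plain digit-wise additive sharing mod 10 (the visual aids and exact encoding of [20] are not modelled), the code value is constructed, and the function names are hypothetical. It also enumerates all randomness for one digit to show that any t of the t + 1 shares have the same distribution whatever the secret digit is.

```python
import secrets
from collections import Counter
from itertools import combinations, product


def share_code(code, n):
    """Split a decimal code into n digit strings, one per voter device.
    Column by column, the shares add up to the code mod 10."""
    if n < 2:
        raise ValueError("need at least two shares")
    rows = [[secrets.randbelow(10) for _ in code] for _ in range(n - 1)]
    last = [(int(d) - sum(col)) % 10 for d, col in zip(code, zip(*rows))]
    return ["".join(map(str, row)) for row in rows + [last]]


def reconstruct(shares):
    """What the human voter does: add each column of digits mod 10."""
    return "".join(str(sum(int(d) for d in col) % 10) for col in zip(*shares))


def view_distribution(secret_digit, n, observed):
    """Exact distribution of the shares at positions `observed` for one
    secret digit, enumerating all 10^(n-1) random choices of the dealer."""
    counts = Counter()
    for rnd in product(range(10), repeat=n - 1):
        shares = list(rnd) + [(secret_digit - sum(rnd)) % 10]
        counts[tuple(shares[k] for k in observed)] += 1
    return counts


def t_shares_leak_nothing(n):
    """True if every set of at most n-1 shares is distributed identically
    for all ten possible secret digits (perfect privacy against t = n-1)."""
    for size in range(1, n):
        for observed in combinations(range(n), size):
            reference = view_distribution(0, n, observed)
            if any(view_distribution(s, n, observed) != reference
                   for s in range(1, 10)):
                return False
    return True


if __name__ == "__main__":
    shares = share_code("4917", 3)   # constructed voting code, t = 2
    print(shares, "->", reconstruct(shares))
    print("t shares leak nothing:", t_shares_leak_nothing(3))
```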

4 Transmit and Reply Protocol 

In this section we present the first of the required primitives - a perfectly 
private and perfectly anonymous network communication protocol. For 
didactic purposes, the simplest form of our proposed protocol will be 
presented - with more efficient constructions described later. 

Suppose that we have a single receiver and v senders each of whom
needs to receive a secret one time pad so as to send a secret back to the
receiver in an interactive anonymous way.

Footnote: The dual problem is that instead of having v senders, we have v
receivers and one sender. Obviously a solution for the first provides a
similar solution for the second.



We assume the passive adversary controls at most t MIX servers. As
in Chaum’s work [8] and most conditional MIX servers, each MIX server
is involved in one mixing in our protocol. $t + 1$ blocks of MIX servers
will be required - denoted as $B_1, \dots, B_{t+1}$, with each block
consisting of $t + 1$ MIX servers and we use
$\mathrm{MIX}_{k,1}, \mathrm{MIX}_{k,2}, \dots, \mathrm{MIX}_{k,t+1}$
to identify MIX servers of block $B_k$ and call $\mathrm{MIX}_{k,1}$
“$B_k$’s leader”.

4.1 Protocol Main Idea 

The receiver will share each of the v one-time pads to transmit into t + 1
shares using XOR. Each (of the t + 1) share will be given to a
corresponding MIX server (i.e. one of the t + 1 servers) in the first block
$B_1$.

The shares of the one-time pad and those of the one-time pad 
might be transposed and will also be altered. To guarantee shares of the 
same pad stay together, the transpositions and alterations are chosen by 
the block leader. After the last MIX operation, the final block of MIX 
servers delivers the shares of the one time pad to the senders, with each 
sender reconstructing the received and altered one-time pad sent by the 
receiver. Each sender will then XOR the secret message to be sent to the 
receiver with the received altered one-time pad and send the result to 
the receiver over the MIX network. During this reverse transmission, the 
inverse alterations will be applied by each block leader. 

By XOR’ing the one time pad initially sent out by the receiver, the 
secret message sent by each sender can be obtained by the receiver. 

4.2 The MIX Communication Protocol - 1A: Receiver to
Sender Transmission

We now present the steps in the MIX communication protocol for the 
transmission of the one-time pads from the receiver to the set of senders. 


Protocol 1 Private and Anonymous Communication Protocol

Step 1 Let $\pi_i^1$ be the one-time pad (where $1 \le i \le v$). The
receiver shares each $\pi_i^1$ into $t + 1$ shares
$\pi_{i,j}^1 \in \mathbb{F}_2^l$ using XOR (where $1 \le j \le t + 1$)
and privately sends $\pi_{i,j}^1$ to the corresponding MIX
$\mathrm{MIX}_{1,j}$ in block $B_1$.

Step 2 The leader of $B_1$ (we call $\mathrm{MIX}_{1,1}$) informs all other
MIX servers in $B_1$ how they have to permute the i-index of all above
$\pi_{i,j}^1$. This permutation is defined by $\rho_1 \in S_v$.

Step 3 On the i indices all MIX servers in $B_1$ apply the permutation
$\rho_1$.
So, :=

Step 4 The leader of $B_1$ chooses $t + 1$ random bit string modifiers
$\omega_{i,j}^1 \in \mathbb{F}_2^l$ and privately sends $\omega_{i,j}^1$
to parties in $B_1$.

Step 5 For each (i, j) the $t + 1$ values are regarded as shares of
$\pi_i^1$. Similarly, the $t + 1$ values $\omega_{i,j}^1$ are regarded as
shares of $\omega_i^1$.
The MIX server in $B_1$ computes
$\pi_{i,j}^2 = \omega_{i,j}^1 + \pi_{i,j}^1$. The $\pi_{i,j}^2$ are
regarded as shares of $\pi_i^2$, the $\rho_1(i)$ permuted and modified one
time pad.

Step 6 Steps 2-5 are repeated, incrementing by one the indices of $B_1$
and $B_2$ until the last block $B_b$ is reached.

Step 7 Shares held by MIX-servers of block $B_{t+1}$ are denoted as
$\mathrm{MIX}_{t+1,j} \in B_{t+1}$ then sends to the sender.



4.3 The MIX Communication Protocol - 1B: Sender to
Receiver Transmission

Upon the end of the first phase, each sender reconstructs their respec¬ 
tive altered one-time pad using XOR over all shares received. Using this 
altered one-time pad, a sender encrypts their secret using XOR. 

Senders then proceed to send their encrypted secret to the leader of
block $B_{t+1}$. These are then sent back to the receiver in much the same
way as transmitted from receiver to sender, only this time, data are sent
between leaders of MIX blocks, the inverse permutations will be applied
and all modifiers used will now have to be invalidated. Thus the leaders
of each block of MIX servers will use the inverse permutations
$\rho_k^{-1}$ and invalidation of modifiers — (invalidating using XOR).

The data that are sent back to the receiver correspond to the en¬ 
crypted message transmitted by senders, and by applying XOR to this 
using the respective one-time pad, the secret message transmitted by 
senders can be obtained. 

It should be noted, that this anonymous and private communication 
protocol can be used for various practical applications. One such exam¬ 
ple is anonymous therapy sessions with extensions of the protocol also 
allowing for anonymous feedback. 
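
The two phases of Protocol 1 (1A and 1B) can be traced end to end in a short simulation. This is an added example, not code from the paper: it models t + 1 blocks of t + 1 servers in one process, uses 8-byte pads and constructed messages, and the class and function names are hypothetical. Each block leader picks a permutation and per-share XOR modifiers on the way out; on the way back the leaders strip the modifiers and undo the permutation, so the receiver recovers every message without learning which sender produced it.

```python
import secrets
from functools import reduce

PAD_LEN = 8  # bytes per one-time pad (constructed size)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(parts):
    return reduce(xor, parts)


def share(secret, n):
    """XOR-share `secret` into n shares; any n-1 of them are uniform."""
    parts = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    return parts + [xor_all([secret] + parts)]


def random_permutation(v):
    perm = list(range(v))
    for i in range(v - 1, 0, -1):          # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


class Block:
    """One block of t+1 MIX servers. The leader chooses the permutation
    rho and the modifiers omega[i][j] (slot i, server j)."""

    def __init__(self, v, t):
        self.rho = random_permutation(v)
        self.omega = [[secrets.token_bytes(PAD_LEN) for _ in range(t + 1)]
                      for _ in range(v)]

    def forward(self, shares):
        # Phase 1A: server j moves its share of old slot rho[i] into slot i
        # and XORs in the modifier share it received from the leader.
        return [[xor(shares[self.rho[i]][j], self.omega[i][j])
                 for j in range(len(shares[0]))]
                for i in range(len(shares))]

    def backward(self, ciphertexts):
        # Phase 1B: the leader removes the combined modifier of slot i and
        # applies the inverse permutation.
        out = [None] * len(ciphertexts)
        for i, c in enumerate(ciphertexts):
            out[self.rho[i]] = xor(c, xor_all(self.omega[i]))
        return out


def slot_origin(blocks, slot):
    """Index of the receiver's pad that ends up in output slot `slot`."""
    for blk in reversed(blocks):
        slot = blk.rho[slot]
    return slot


def run(messages, t):
    if any(len(m) != PAD_LEN for m in messages):
        raise ValueError("messages must be PAD_LEN bytes long")
    v = len(messages)
    pads = [secrets.token_bytes(PAD_LEN) for _ in range(v)]
    blocks = [Block(v, t) for _ in range(t + 1)]
    shares = [share(p, t + 1) for p in pads]            # Step 1
    for blk in blocks:                                   # Steps 2-6
        shares = blk.forward(shares)
    altered = [xor_all(s) for s in shares]               # sender i rebuilds
    cts = [xor(m, a) for m, a in zip(messages, altered)] # sender encrypts
    for blk in reversed(blocks):                         # reverse path
        cts = blk.backward(cts)
    recovered = [xor(c, p) for c, p in zip(cts, pads)]   # receiver decrypts
    return recovered, blocks


if __name__ == "__main__":
    msgs = [b"CODE-417", b"CODE-902", b"CODE-135"]       # constructed
    recovered, _ = run(msgs, t=2)
    print(sorted(recovered) == sorted(msgs), recovered)
```

The receiver's list holds the same messages as the senders' list but in pad order, and the mapping between the two is the composition of the leaders' permutations, which `slot_origin` exposes only for checking.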

4.4 Security Proof 

In this section we present the security proof for Protocol 1.

Theorem 1. Protocol 1 is a reliable, private and anonymous message
transmission protocol.

Proof. The protocol achieves perfect reliability due to the passive nature 
of the adversary. Perfect privacy is achieved as each one-time pad or 
encrypted message is “shared” over t + 1 shares. As each MIX server is 
used only once and as the adversary can control at most t MIX servers, 
secrecy of these transmitted data is retained. We now prove the perfect 
anonymity of the protocol - for simplicity of the proof we assume that 
there are only two messages (two one time pads). 

As t + 1 blocks of MIX servers are used and each MIX server is used
only once, there exists a block $B_i$, $1 \le i \le b$, free from adversary
controlled MIX servers. Because of this, the adversary is unable to learn the
modifiers and permutation which are added and implemented respectively
to the shares of the messages.

Assuming the adversary is present in $B_{i+1}$ and absent from $B_i$, the
view of the adversary of a share for both messages can be one of the 
following two possibilities: ), {ujl+7rf~ ,w^-|-7r}“ ) 

Obviously, the adversary cannot distinguish between the first and the
second possibility as the modifiers and permutation used in block Bi are 
random and not learned by the adversary. Indeed, there exists an (w(, W 2 ) 
such that + + So, the adversary 

cannot distinguish whether the messages have been interchanged or not. 

Without loss of generality, the proof can be extended to any number
v of messages. □

5 Reducing the Number of MIX Servers 

In this section we improve on the “Transmit and Reply Protocol”
presented in Section 4, presenting a solution for the single seat election
case where an Abelian group is used.

Our solution uses Chaum’s code voting and considers a single receiver
(e.g., CGE) and v human voters who each need to receive voting codes
(one code per candidate) in a non-interactive anonymous way. We
consider the CGE as the receiver and the human voters as the senders of the
communication because at the end of the combined protocol, the human
voters will send back to the CGE the voting code which corresponds to
the candidate of their choice. We regard codes intended for the same
receiver as a long string and the MIX servers MIX the strings (i.e. those
intended for different receivers).


A more efficient network of MIX servers is used as our solution is not
confined to using each MIX server only once, thus the total number of
MIX operations done is b. We denote the set of MIX servers by X and
assume we have an $(X, B)$ set system, which is an $(m, b, t)$-verifiers
set system as defined in [17]. We let
$B_k = \{\mathrm{MIX}_{k,1}, \mathrm{MIX}_{k,2}, \dots, \mathrm{MIX}_{k,t+1}\}$
and call $\mathrm{MIX}_{k,1}$ “$B_k$’s leader”.

The main idea of the protocol is very similar to the communication
protocol of the previous section. This time, the receiver (e.g., CGE) will
share each of the v messages to transmit using an appropriate secret
sharing scheme (and not using XOR). In a similar fashion, messages are
permuted and altered as they are transmitted within the MIX network.
After the last MIX operation, the final block of MIX servers delivers the
shares of messages to the senders, with each sender reconstructing the
secrets (voting codes) sent by the receiver. We will assume the transmission
of the shares of these secrets uses the human friendly method presented
in [20]. Similarly, since a code is only used once, it can be modified using
addition over a finite Abelian group. To be compatible with [20] one such
example is addition mod 10 over the group used. Senders will then
transmit back to the receiver the voting code corresponding to their choice.


5.1 Virtual Directed Acyclic Graphs 

When an Abelian group is used and when blocks of the (m, b, t)-verifiers
set system can share common MIX servers between them, we define the
construction of a virtual vertex-labeled Directed Acyclic Graph (DAG).
The set of vertices of the DAG is composed of parties participating in the
protocol (which is similar to Protocol [3|), with the source of the graph
being the receiver of the protocol and the sink being a sender.

The directed edges of the DAG identify the transmission of messages
from one party to another amongst different levels in the DAG. We define
levels of the DAG as the receiver, a sender and the different blocks of MIX
servers used. Considering block $B_i$ as a tuple (ordered set), when $B_i$
is a block where $|B_i| = l$ and $b \in B_i$, at location k in this tuple,
we say that b is at position k. With the above definition, directed edges of
the DAG will occur (i) from the receiver to all $b_j$ in $B_1$
($1 \le j \le l$), (ii) from each $b_j$ in block $B_b$ to the sender,
(iii) moreover, we have edges between nodes
in $B_i$ and nodes in The following is required:

1. If a unique color was to be assigned to each party of the protocol,
based on the results of m, the sender and receiver can privately
communicate, if when choosing any t colours and removing the
vertices of the DAG with those t colours the sender and receiver remain
connected - meaning that there still exists a directed path from the
sender to the receiver on the reduced DAG.

2. We require that if at level k the parties in receive shares of irf, the 
parties in (i.e., at level k + 1) receive shares of 

Two methods can be used to achieve the above requirements. One uses 
re-sharing - such as the redistribution scheme described in [15]. The other
uses a large set of MIX servers X to guarantee the following property. 

Definition 3. We say that set $X$ of MIX servers is under t-confinement
if all members of set $T$ where $|T| = t$ appear in at most $t$ positions
over all blocks of MIX servers used and this for all $T \subset X$ where
$|T| = t$.

It is easy to see that the above satisfies the DAG requirements. 
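
A brute-force check of Definition 3, added here as an illustration and not taken from the paper. It reads "position" as the tuple index k defined in Section 5.1; the block layouts and server names are constructed.

```python
from itertools import combinations

def positions_covered(blocks, coalition):
    """Tuple indices k at which some coalition member sits in any block."""
    return {k for block in blocks for k, s in enumerate(block) if s in coalition}

def violating_coalitions(blocks, t):
    """All t-subsets T of X that occupy more than t positions (Definition 3 fails)."""
    servers = sorted({s for block in blocks for s in block})
    return [T for T in combinations(servers, t)
            if len(positions_covered(blocks, set(T))) > t]

def is_t_confined(blocks, t):
    return not violating_coalitions(blocks, t)

def unseen_positions(blocks, coalition):
    """Share positions no coalition member ever holds (assumes equal block sizes)."""
    return set(range(len(blocks[0]))) - positions_covered(blocks, coalition)

# Constructed layouts for t = 2, so every block is a tuple of l = t + 1 = 3 servers.
GOOD = [("A", "B", "C"), ("A", "D", "E"), ("F", "B", "G")]  # shared servers keep their position
BAD = [("A", "B", "C"), ("B", "A", "D")]                    # A and B move between positions

if __name__ == "__main__":
    print("GOOD confined:", is_t_confined(GOOD, 2))
    print("BAD violations:", violating_coalitions(BAD, 2))
    print("positions hidden from {A, D} in GOOD:", unseen_positions(GOOD, {"A", "D"}))
```

When the check passes, every coalition of t servers misses at least one of the t + 1 share positions, which is the property the privacy argument in Section 5.3 relies on.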

5.2 The MIX Protocol 

In the case of Internet voting this is used as a pre-voting protocol for the 
transmission of voting codes to voters and it is used to achieve anonymity 
of voting codes. We assume $S$ to be a finite Abelian group and denote
with $v$ the number of senders, and thus the number of messages (sets
of voting codes) that need to be transmitted. In the following, we only
describe the required difference when compared to Protocol 1.

Protocol 2 Private and Anonymous Random Communication Protocol 

Step 1 Let $s_i$ be the message (where $1 \le i \le n$). The sender shares
each $s_i$ by choosing $l$ shares $\pi^1_{i,j} \in_R S$ (using an appropriate
secret sharing scheme over an Abelian group where $1 \le j \le l$)
and privately sends $\pi^1_{i,j}$ to the corresponding party $B_{1,j}$ in $B_1$.

- As an (m, b, t)-verifiers set system is used, $l = t + 1$ denotes
the number of shares.

Step 2 Same as in Protocol 1.
Step 3 Same as in Protocol 1.

Step 4 The leader of $B_1$ chooses modifiers $\omega^1_{i,j} \in_R S$ and
privately sends $\omega^1_{i,j}$ to parties in $B_1$.

Step 5 Similar as in Protocol 1. Only:

The MIX servers in $B_1$ compute shares of $\pi^2_i = \omega^1_i + \pi^1_i$,
i.e. party $P_j \in B_1$ adds the modifiers it receives from the leader of
$B_1$ to the share(s) it holds. The shares of the $\pi^2_i$ are denoted as
$\pi^2_{i,j}$.


Step 6 If the concept of t-confinement is not used, re-sharing of shares
$\pi^2_{i,j}$ is carried out by parties in $B_1$ using the redistribution
scheme described in [15]. That means that each party in $B_2$
receives $l = t + 1$ values, which they then compress.

Step 7 Steps 2-5 are repeated incrementing by one the indices of $B_1$ and
$B_2$ until the last block $B_b$ is reached. For all iterations - except
when the last block $B_b$ is reached, Step 6 is also repeated (except
if t-confinement is used).

Step 8 If t-confinement is not used, shares held by the MIX-servers of 
block Bb are re-shared. 

Step 9 Shares held by MIX-servers of block $B_b$ are denoted as $\phi_{i,j}$.
$MIX_{b,j} \in B_b$ then sends $\phi_{i,j}$ to the voter using m-

It should be noted, that as in [20], MIX servers will send shares to voters 
using network disjoint paths, as the communication network cannot be 
trusted with the adversary capable of listening to at most t of these paths. 
The way voters cast their vote will be described in Section 6.


5.3 Security Proof 

In this section we present the security proof for Protocol 2.

Corollary 2 Protocol is a reliable, private and anonymous message
transmission protocol.

Proof. Formally, we have: 

Perfect Reliability - This is the same as in Theorem 1.

Perfect Privacy - The protocol achieves perfect privacy as each message
is “shared” over $l = t + 1$ shares. In the case of t-confinement, the view of
the adversary will consist of at most t shares. This number is one less than
the number required to reconstruct a secret and thus perfect privacy is
achieved. In the case of re-sharing, the re-sharing guarantees that shares
at level i are independent of those at level i + 1 (note that the adversarial
parties are passive). The rest follows from [18] and through the use of
re-sharing or t-confinement. When using re-sharing we ensure that there
is no cut of t vertices (colors) that can disconnect the sender and the
receiver. This is because the resharing of shares makes certain that the
parties in block $b_i$ receive shares from $t + 1$ parties in block $b_{i-1}$.
So, any adversarial t parties in block $b_{i-1}$ will not be able to cut the
graph. It is easy to see that the condition of [18] (i.e. no t parties are
able to cut a graph) is satisfied when using t-confinement thus allowing
for secure solutions.


Perfect Anonymity - This is very similar to the anonymity proof of
Theorem 1. The only difference is that now where a lower number of
MIX servers are used, due to Property 3 from the definition of verifier set
systems, there exists a block $b_i$, $1 \le i \le b$, free from adversary
controlled MIX servers. Because of this, the adversary is unable to learn
the modifiers and permutation which are added and implemented
respectively to the shares of the messages. □

5.4 Use of non-Abelian Group - Multi-seat Election Case

When a non-Abelian group is used, the protocol is similar to that
presented in Section 5.2. Due to the non-Abelian nature of the group,
alternative additional techniques will have to be employed to manage the
fact that dealing with shares cannot be done locally (due to the
multiplication) thus this needs to be shared and securely computed among many
parties using techniques presented in m- 

Suppose we have an election in which we have s seats in which every
voter can vote for up to s of the c candidates - where s < c. To enable
blinding of the code, we give to each voter a secret permutation
$\pi \in S_c$, where $S_c$ is the symmetric group. For each favourite
candidate $i$ the voter wants to vote for, $\pi(i)$ is transmitted to the
returning officer.

Note that $\pi$ is not necessarily unique to the election, as opposed to
Chaum’s code voting. The protocol is organised to avoid that this
creates a problem. In the case of Internet voting, the following protocol is
used as a pre-voting protocol, for the transmission of v number of voting
“codes” (i.e. permutations) to v number of voters and it is used to achieve
anonymity of voting codes. We assume $S = S_c$ to be a finite non-Abelian
group.

It should be noted that the protocol to be presented is only useful 
for the private and anonymous transmission of permutations with which 
receivers can cast their vote. 

Protocol 3 Private and Anonymous Random Communication Protocol 

Step 1 Same as in Protocol 2, only now a non-Abelian group is used and
permutations are transmitted.

Step 2 The leader of $B_2$ chooses modifiers $\omega^2_i \in_R S_c$ and
privately sends $\omega^2_{i,j}$ to parties in $B_2$ such that the $l$ values
$\omega^2_{i,j}$ are regarded as shares of


As shown in [16], to securely compute $\pi$ and $\omega$ where $\pi$ is chosen by
one party and $\omega$ by another, we need $2t + 1$ parties where t parties are
curious. To mimic as closely



Step 3 For each (i,j) the $l$ values $\pi^1_{i,j}$ are regarded as shares of
$\pi^1_i$.

The MIX servers in $X_{1,2} \subseteq X$ where $|X_{1,2}| \ge 2t + 1$ and
$B_1 \cup B_2 \subseteq X_{1,2}$ compute shares of
$\pi^2_i = \omega^2_i \circ \pi^1_i$ using a black box
non-Abelian multiparty computation protocol (see Section [23]).
This is done so that $\omega^2_i$ blinds $\pi^1_i$. The shares of the product
are denoted as $\pi^2_{i,j}$ and are obtained by the parties in $B_2$.

Step 4 The leader of $B_2$ informs all other MIX servers in $B_2$ how they
have to permute the i-index of all shares they hold from the
above operations. This permutation is defined by $\rho_2 \in_R S_v$. On
the i indices the MIX servers in $B_2$ apply the permutation $\rho_2$.

Step 5 The above three steps are repeated by incrementing by one the
indices of $B_1$ and $B_2$ (thus B^ 7 ^ After parties in $B_k$
permute the i indices of using $\rho_k$ - where $2 \le k \le b - 1$, the
leader of $B_{k+1}$ chooses modifiers $\omega^{k+1}_{i,j} \in_R S_c$ which are
given to parties in $B_{k+1}$, the black box non-Abelian multiparty
computation sub-protocol is executed by parties in $X_{k,k+1} \subseteq X$
where $B_k \cup B_{k+1} \subseteq X_{k,k+1}$, $|X_{k,k+1}| \ge 2t + 1$ and the
process continues till the final block of servers $B_b$ is reached.

Step 6 After parties in $B_b$ permute the i indices of using $\rho_b$, the
leader of $B_1$ chooses modifiers $\omega^1_{i,j} \in_R S_c$ which are given to
parties in $B_1$, the black box non-Abelian multiparty computation
sub-protocol is executed between parties in block $B_b$ and $B_1$ and
the output of which is held by parties in $B_1$. $MIX_{1,j} \in B_1$ sends
the output it holds to the voter using


It should be noted, that as in [20], MIX servers will send shares to voters 
using network disjoint paths, as the communication network cannot be 
trusted with the adversary capable of listening to at most t of these 
paths. The way voters will use what they receive to cast their vote will 
be described in Section 6.

We now present the security proof for Protocol 3.


as possible the working of [16], is chosen by the leader of $B_2$ and not by
the leader of $B_1$.

Note that the MIX servers in $B_1 \cup B_2$ can also be a in $X_{1,2}$ where > $2t + 1$.

Additionally, the efficiency of black box non-Abelian multiparty computation protocols
is better when >> $2t + 1$.

Note that [16] allows to organise the computation such that the output, i.e. shares
of $\pi^2_i$, are received by parties in $B_2$.



Theorem 2. Provided Protocol 3 together with the appropriate black box
non-Abelian multiparty computation sub-protocol is used, then Protocol 3
is a reliable, private and anonymous random transmission protocol.

The proof of the above theorem is similar to the proof of Theorem [H but 
relying on either 

6 Electronic Code Voting Protocol 

In this section we outline how components of previous sections are
combined.

6.1 Preparation, Mixing and Transmission of Voting Codes 

As described in Section [XT] the CGE is responsible for creating the codes 
with which voters will cast their votes. We first explain this for the
single-seat election.

Considering an election has $c$ candidates and that there are $v$ voters,
the CGE will create $v$ random initial codes for each of the $c$
candidates. In total, $c \times v$ unique codes will be generated.
The CGE will then group these codes to form $v$ $c$-tuples,
with each tuple containing a single code for each of the $c$ candidates.

Each of these codes will then be transmitted as one-time pads to the
voters in the same way as described by Protocol 2. It should be noted
that Protocol 2 describes the transmission of only $v$ codes as opposed to
the $c \times v$ required by the voting protocol. To transmit all the voting
codes, $c$ executions of Protocol 2 will be executed at the same time. These
executions should not be independent of each other but instead should use
the same permutations ($\rho$ in Step 2) and modifiers ($\omega_{i,j}$ in
Step 4) throughout all executions of the protocol, i.e. the same modifier is
used for all codes the same voter will receive and they remain bundled
together (i.e. by reusing $\rho$). These $c$ executions can be carried out
either in parallel or sequentially, as long as each voter receives $c$
voting codes.

In the case of multi-seat elections, each voter will receive a single
permutation over $S_c$ - which is a permutation of the alphabetical ordering
of the candidates. Moreover, Protocol 3 will be used.

6.2 Receiving and Reconstructing Voting Codes 

We first explain the single-seat case. Each voter will receive $l = t + 1$
shares for each voting code, receiving each one using a different
computational device. It should be noted that the share of each of the c
voting codes will be received upon the same computational device.

The voter can then identify the code which corresponds to the
candidate of their choice. Once all pieces of each code are received, the code
corresponding to their choice can be reconstructed in a similar manner 
as described in Section Eai 

In the multi-seat election, instead of receiving a c-tuple, a single
permutation is received - which is a permutation of the alphabetical ordering
of the candidates. Similar to the single seat case, t+1 shares of this
permutation will be received by the voter who will reconstruct the permutation
as described in m Section 4.2, Section 4.3]. This will allow the voter to 
identify the candidates of their choice. Supposing the voter wants to vote
for candidate $c$ and candidate $c'$, the reconstruction of the permutation
will help the voter identify $\pi(c)$ and $\pi(c')$ which correspond to the
candidates of their choice. To cast their vote, voters will have to send back
to the CGE these $\pi(c)$ and $\pi(c')$ values.


6.3 Transmission, Mixing and Counting of Cast Votes 

We first explain this for the single-seat case. A voter identifies the code 
corresponding to the candidate of their choice and sends this code back 
to the CGE by transmitting this code to the leader of the last block of 
MIX. 

To transmit voter codes in the reverse direction (towards the CGE),
the leaders of each block of MIX servers will have to carry out the reverse
operations on the codes. Thus the inverse permutations ($\rho_k^{-1}$) and
modifiers ($-\omega^k_i$) are used. Once a code arrives at the CGE, it will
identify the candidate it corresponds to and the vote will be counted.

The multi-seat case is similar. Once a voter identifies one of the $\pi(c)$
which corresponds to one of their chosen candidates, they will have to
send this $\pi(c)$ to the leader of the last block of MIX servers. Similar to
the single-seat case, the reverse operations on the codes will have to be
carried out. Once a voter’s $\pi(c)$ arrives at the CGE, the CGE will apply
$\pi^{-1}$ and identify the candidate the vote corresponds to and the vote
will be counted.
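
The single-seat flow of Sections 6.1-6.3 as a runnable simulation (an added example, not the authors' code): the CGE creates c × v codes, each block permutes the voter slots and adds one modifier per slot to additive mod 10 shares, voters sum their t + 1 shares, and the block leaders undo modifiers and permutations on the way back. Assumptions made here: 4-digit codes, permutation applied before the modifier within a block, the cast code travels together with its slot index, and Python's `random` stands in for a proper randomness source.

```python
import random
from collections import Counter
from functools import reduce

D, MOD = 4, 10  # constructed parameters: 4-digit codes, digit-wise addition mod 10

def add(a, b, sign=1):
    """Digit-wise a + sign*b in (Z_10)^D."""
    return tuple((x + sign * y) % MOD for x, y in zip(a, b))

def rand_code(rng):
    return tuple(rng.randrange(MOD) for _ in range(D))

def share(secret, l, rng):
    """l additive shares of secret; any l-1 of them are uniformly random."""
    parts = [rand_code(rng) for _ in range(l - 1)]
    return parts + [reduce(lambda acc, p: add(acc, p, -1), parts, secret)]

def reconstruct(shares):
    return reduce(add, shares)  # what the voter does by hand: sum mod 10

def run_election(choices, c=3, t=2, b=3, seed=1):
    """choices[i] = candidate index picked by the voter served at delivery slot i."""
    rng = random.Random(seed)  # demo only: a real CGE needs a cryptographic RNG
    v, l = len(choices), t + 1
    pool = rng.sample(range(MOD ** D), c * v)  # c*v unique initial codes
    digits = lambda n: tuple(int(ch) for ch in f"{n:0{D}d}")
    table = {digits(n): k % c for k, n in enumerate(pool)}  # CGE: code -> candidate
    sh = [[share(digits(n), l, rng) for n in pool[i * c:(i + 1) * c]]
          for i in range(v)]  # sh[slot][candidate][position j]
    blocks = []
    for _ in range(b):  # each block: permute slots, then one modifier per slot
        rho = rng.sample(range(v), v)
        omega = [rand_code(rng) for _ in range(v)]
        sh = [sh[rho[i]] for i in range(v)]
        for i in range(v):
            w = share(omega[i], l, rng)  # position j adds w[j] to all c of its shares
            sh[i] = [[add(s, w[j]) for j, s in enumerate(cand)] for cand in sh[i]]
        blocks.append((rho, omega))
    tally = Counter()
    for slot, pick in enumerate(choices):
        code = reconstruct(sh[slot][pick])  # voter rebuilds only the chosen code
        for rho, omega in reversed(blocks):  # leaders subtract omega, undo rho
            code, slot = add(code, omega[slot], -1), rho[slot]
        tally[table[code]] += 1  # CGE looks the restored code up
    return tally
```

Because one modifier is shared by all c codes of a slot, a leader can strip it from a returned code without learning which candidate the code stands for.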